The growing problems associated with security exploits within the architecture of the Internet are of significant concern to network providers. Networks and network devices are increasingly affected by the damages caused by Denial of Service (“DoS”) attacks. A DoS attack is defined as an action taken upon on a computer network or system by an offensive external device that prevents any part of the network from functioning in accordance with its intended purpose. This attack may cause a loss of service to the users of the network and its network devices. For example, the loss of network services may be achieved by flooding the system to prevent the normal servicing for performing legitimate requests. The flooding may consume all of the available bandwidth of the targeted network or it may exhaust the computational resources of the targeted system.
A DDoS attack is a more aggressive action that involves multiple offensive devices performing an attack on a single target computer network or system. This attack may be performed in a coordinated manner by these multiple external devices to attack a specific resource of a service provider network. The targeted resource can be any networking device such as routers, Internet servers, electronic mail servers, DNS servers, etc. Examples of a DDoS attack include (but are not limited to): large quantities of raw traffic designed to overwhelm a resource or infrastructure; application specific traffic designed to overwhelm a particular service; traffic formatted to disrupt a host from normal processing; traffic reflected and/or amplified through legitimate hosts; traffic originating from compromised sources or from spoofed IP addresses; and pulsed attacks (which start/stop attacks). Further, it is to be understood DDoS attacks are typically categorized as: TCP Stack Flood Attacks (e.g., flood a certain aspect of a TCP connection process to keep the host from being able to respond to legitimate connections (which may also be spoofed)); Generic Flood Attacks (e.g., consists of a flood of traffic for one or more protocols or ports, which may be designed to appear like normal traffic which may also be spoofed)); Fragmentation Attacks (e.g., consists of a flood of TCP or UDP fragments sent to a victim to overwhelm the victim's ability to re-assemble data streams, thus severely reducing performance); Application Attacks (e.g., attacks designed to overwhelm components of specific applications); Connection Attacks (e.g., attacks that maintain a large number of either ½ open TCP connections or fully open idle connections); and Vulnerability Exploit Attacks (e.g., attacks designed to exploit a vulnerability in a victim's operating system).
One or more DDoS attack mitigation strategies applied to portions of the network traffic received from a host at a mitigation device may include taking one or more actions to validate the host as legitimate. A predefined mitigation action associated with a DDoS attack can include sending responses to one or more hosts and examining their responses. At least in some instances, this predefined mitigation action can be challenging because based upon the response of the host a different host validation procedure is carried out by a mitigation device. In conventional attack mitigation systems, a mitigation device validates a host using a first validation algorithm, and if the first validation algorithm fails to correctly validate the host as legitimate, then the mitigation device validates the host using a second validation algorithm. If the second validation algorithm fails to correctly validate the host as legitimate, then a third validation algorithm is used by a mitigation device, and so on. As a result, this conventional real-time method of validation of hosts, typically, causes poor user experience for the host being tested (slower website performance, etc.). Slower website performance is known to cause users/visitors to leave the website sooner. Another consequence of poor performance is that the website may be downgraded in search engine results ranking. Therefore, the ability to efficiently test each host and improve user experience, while preventing blocking of valid hosts is advantageous to devices located in a protected network.